Linux distros will often come with at least a basic firewall bundled with it. Often this won't be active by default so will need to be activated.
Additionally this will likely be the standard Iptables supplied, even though less experienced users may struggle with it. UFW - Uncomplicated Firewall is also bundled with some distros, and aims to make the process simpler.
However, there are distros and applications out there that can cater for the more advanced user and the less experienced one, making it easier to setup and configure a firewall that works for your needs.
Some, like ClearOS build it directly into the operating system as part of its security focus, but most other options would be applications that aim to block rogue IPs, monitor ports, and prevent otherwise prevent bad packets from interfering with your machine.
For most home users there are few actual settings that need to be customized, so simple apps can be popular, but for those looking to manage their machine as a server, additional controls and advanced command options will tend to be the more welcome.
Here we'll feature the best in free Linux firewalls.
- These are the best Linux training providers and online courses
- 5 of the most popular Linux gaming distros
- What's the best Linux distro for beginners?
- 10 of the best lightweight Linux distros
A well thought-out distro that's refreshingly easy-to-use
ClearOS is by far the sleekest looking firewall distro in this roundup. It's obvious that a lot of time and care has gone into developing the interface.
As most firewall distros are written for the stereotypical geek, it's nice to see a refreshing change in what seems to have become the de facto standard of 'cobble it together and think about the interface afterwards'. This said, ClearOS will run quite happily from the command line for more advanced users.
The installation is painless and takes around 10 minutes to complete. You're given the choice to start in Public Server or Gateway mode, depending on how you want to use ClearOS.
Once done, reboot and you'll be given all the info you need to access and administer your new firewall remotely. Everything is straightforward – it's obvious that a lot of thought has gone into making ClearOS as easy-to-use as possible.
Once you've completed setup and accessed the web-based admin system, it doesn't take long to familiarise yourself with the various settings and features of ClearOS as the distro provides ‘Getting Started’ help once you log in to the web interface. Setting up firewall rules is quick and painless, as is much of the other configuration.
The most pertinent feature of ClearOS is its usability, but this distro is about a lot more than just sleek looks. It packs in plenty of features as well – not only does it give you a simple, clean way to manage a firewall, but it enables the addition of extra services to your network.
Overall, ClearOS is a powerful distro. As it's available in both free 'Community' and paid 'Professional' versions, it's perfect for both homes and small businesses.
A solid firewall that provides a lot of details about your network setup
This distro, while entirely separate from IPFire, uses a helpful colour-coding scheme similar to the latter, in order to represent different connections. Green is for LAN, red for the internet, orange for DMZ, and blue for wireless clients.
IPCop was originally a fork of Smoothwall (which we’ll also cover later) and was in turn forked by the IPFire team as updates to IPCop are few and far between. The most recent version (2.1.9) was released in February 2015.
Installation is relatively straightforward, but there are some wildcard questions thrown into the mix. While these may puzzle the novice user, accepting the default options won't cause any issues unless you have a very specific network configuration. One of the main advantages of IPCop is that the installation image is very small (around 60MB) and can be copied onto a DVD or flash drive.
IPCop's web interface feels clunky, although our tests proved that this was merely psychological, because it was actually incredibly responsive. However, other than the 'real-time' graphs that Smoothwall provides, IPCop gives a lot more information about your LAN setup, and about the running of the firewall itself, including a list of the connections that are currently open.
The Firewall also provides a 'caching proxy', so that you can cache frequently accessed pages locally.
IPCop does a good job as a firewall, giving plenty of information about traffic on your network, and while it might not be the prettiest distro in the world, it does what it's designed to do.
Security-minded fork of the original pfSense project
OPNsense is an easy-to-use open source firewall based on FreeBSD 10.1 to ensure long-term support. Obviously enough, the project’s name is derived from the words 'open' and 'sense', standing for: ‘Open source makes sense.’
The OPNsense project started out as a fork of the more established firewall pfSense in January 2015. The team claimed their reasons for forking the project were partly due to the type of licence pfSense used at the time, and partly because they believed they could create a more secure firewall.
OPNsense offers weekly security updates so can respond quickly to threats. It contains many advanced features you'd usually find only in commercial firewalls such as forward caching proxy and intrusion detection. It also supports using OpenVPN.
OPNsense incorporates a very rich GUI written in Phalcon PHP which is a real pleasure to use. Aside from being more appealing than pfSense's interface, OPNsense was created partly due to the fact that the team felt the graphical interface shouldn't have root access, as this can cause security issues.
The GUI has a simple search bar as well as a new System Health module. This module is interactive and provides visual feedback when analysing your network. You can also now export your data in CSV format for further analysis.
The firewall uses an Inline Intrusion Prevention System. This is a powerful form of Deep Packet Inspection whereby instead of merely blocking an IP address or port, OPNsense can inspect individual data packets or connections and stop them before they reach the sender if necessary. OPNsense also offers LibreSSL over OpenSSL.
An easy-to-use firewall with some super-advanced features
IPFire is a Linux firewall distro focusing on user-friendliness and easy setup without compromising your security, supporting some useful features such as intrusion detection. IPFire takes a serious approach to security by using an SPI (Stateful Packet Inspection) Firewall built on top of netfilter.
IPFire is specifically designed for people who are new to firewalls and networking, and can be set up in minutes. The installation process allows you to configure your network into different security segments, with each segment being colour-coded. The green segment is a safe area representing all normal clients connected to the local wired network. The red segment represents the internet.
No traffic can pass from red to any other segment unless you have specifically configured it that way in the firewall. The default setup is for a device with two network cards with a red and green segment only. However, during the setup process you can also implement a blue segment for wireless connections and an orange one known as the DMZ for any public servers.
Once setup is complete, you can configure additional options and add-ons through an intuitive web interface.
The most complete firewall distribution here
Like OPNsense, pfSense is based on FreeBSD and designed specifically to work as a firewall and router. As we’ve mentioned already, the fork between these two projects was controversial and pfSense still has many loyal users. Updates are released quarterly.
This distro runs on a range of hardware but currently only supports x86 architecture. The website has a handy hardware guide to allow you to choose a compatible device.
The installation is done from a command line but it’s very simple. You can choose to boot from either a CD or USB drive.
The setup assistant will ask you to assign interfaces during the installation, rather than once you've booted to the web interface. You can use the auto-detect feature to work out which network card is which.
The firewall has a small number of built-in features, such as multi-WAN, Dynamic DNS, hardware failover, and different methods of authentication. Unlike IPFire, pfSense already has a feature for a captive portal, whereby all DNS queries can be resolved to a single IP address such as a landing page for a public Wi-Fi hotspot.
This distro has a clean interface and is very smooth to use. Once again, as it's based on BSD, some of the terminology used is confusing, but doesn't take long to get to grips with.
pfSense is possibly the most feature-rich firewall distro out there, but falls down due to a lack of non-firewall-related extra features. If you're just after a simple firewall, you can't go wrong by choosing pfSense, but if you need anything above and beyond that basic functionality, you may want to consider one of the other distros.
A great firewall that's commendably user-friendly
Smoothwall Express is probably the most well-known firewall distro. To test this, we did a quick poll of 20 Linux geeks, asking them to name a firewall distro. 19 of them came up with Smoothwall first.
The installation of Smoothwall Express is text-based, but you don't need to be familiar with the Linux console and it’s all fairly straightforward. You may prefer to download or indeed print out the installation guide to walk you through the setup process. In order to do this you'll need to create a my.smoothwall profile.
There are three installation options: Standard, Developer and Express. Developer is reserved for those people who actually want to work on coding the Smoothwall project. Express is a stripped-down version of Smoothwall which ensures maximum compatibility with older hardware.
Unless you have a very specific network configuration, you can usually accept the default options.
The web-based control panel is simple and easy to understand. Smoothwall Express doesn't provide much in the way of extra features, but does allow you to have a separate account to control the main connection, which is especially useful if you're using dial-up, alongside its caching web proxy service.
One of the benefits of Smoothwall Express is the simplicity it offers when running internal DNS – adding a new hostname takes only a few seconds. Assigning static IPs and enabling remote access can also be accomplished with a few mouse clicks.
The only issue we noticed during testing was that assigning static DHCP lease assignments requires you to click Add followed by Save, and it isn't particularly obvious that you have to perform the second step. This led to a fair bit of confusion with our network attached printers jumping from one IP address to another.
Choosing the right firewall distro is largely dependent on your specific requirements, but whatever they may be, having protection from a firewall is simply a matter of common sense given the multitude of dangers on the internet these days. That said, aside from basic protection, once your firewall is installed it can also be helpful to have a few extra features for good measure.
Just a firewall
If you're after a basic firewall, then all of the distros here will do a good job, with some performing better than others. If this sounds like you, you can't go wrong with IPFire, which probably has the easiest setup process.
Failing that, IPCop and Smoothwall Express are excellent options if you're not after anything too complex. If you need a commercial-grade solution and have money to burn, check out Smoothwall's paid-for arm.
If you want something with a small footprint, or to run on an embedded device, pfSense's website contains helpful guides to do this, although it will only run on x86 architectures. For other types of hardware, consider IPFire.
For us, however, a box in the corner that isn't being used to its full extent is a wasted box. This is why we prefer to use virtualisation, whereby the firewall can run as a virtual server on the same hardware you use for web browsing.
While ClearOS remains the most powerful firewall, virtualisation is not as easy as it is with other firewall distros such as IPFire. And this, combined with the fact that IPFire allows easy customisation through its own add-on service Pakfire, means it’s the narrow winner over ClearOS, receiving our gold medal.
Nevertheless, Smoothwall Express deserves an honourable mention. It's the only firewall that once installed will keep on running with minimal prompting and interference from you. If you ever need to locate specific settings, these are simple to find as well.